Imagine for a minute that you’re the chief security officer (CSO) at an organization that owns and operates power facilities. As a primary responsibility, you’re accountable for implementing a defense-in-depth cybersecurity strategy that ensures the availability, confidentiality and integrity of the mission-critical systems that transmit power to millions of people. Unplanned downtime is not an option, for any disruption in service would have numerous safety, security and economic consequences.
Fully aware of the internal and external cyber threats to critical infrastructure, you implement a stringent security strategy that includes advanced phishing detection, network monitoring and anomaly detection, multi-factor authentication, firewalls and endpoint security. Additionally, all employees—from the lowest-level engineer to the C-suite—are mandated to complete phishing awareness training annually. Your facility is “cyber-secure,” or so you think.
One morning, a group of engineers arrive at work and find an email in their inbox addressed from you. The message is positioned as urgent, asking employees to take 5 minutes and visit a webpage – which is hyperlinked – to immediately change personal login controls due to unauthorized attempts at network access.
One email recipient suspects it might be spear-phishing, so he ignores it for now, intending to report it when he has time. The second is not so apathetic. A steadfast rule follower, though not so cyber savvy, he immediately clicks on the link, which takes him to a new webpage to change his password. He completes the form, thinking he has done his job, and goes on with his day.
A few days later, you as the CSO are alerted to the spear-phishing attempt, and subsequently inform all employees of the social engineering campaign. Unfortunately, your notification is too little, too late. Immediately after the employee completed the form, the attacker was able to gain access to the network. While no critical damage was done, it will cost valuable time, money and resources to remediate the breach. In the meantime, the network is compromised and the availability, confidentiality and integrity of the control systems you’re responsible for are now at heightened risk.
Although this scenario is hypothetical, it is highly realistic. Today, many critical infrastructure organizations spend unprecedented dollars on cybersecurity, including phishing education training, yet it takes just one person to act on a devious email for the entire organization to be compromised.
The Limitations of Phishing Awareness Training
To minimize phishing’s risk, many organizations, including those within critical infrastructure, invest heavily in employee education and training, recognizing the human factor as the weakest link in security. However, employee training alone is costly and time consuming, and it is difficult to keep up with the latest phishing methods. This is especially true within operational technology (OT) environments, in which employees often have limited education in IT security principles and in which equipment vulnerabilities differ from manufacturer to manufacturer.
Meanwhile, 95 percent of successful cyberattacks originate from a successful phishing campaign, according to the recent IBM Security Officer Assessment. Spear-phishing, an advanced type of phishing in which an email or text appears to be from a colleague or business, is used in almost 40 percent of all attacks and is opened 70 percent of the time. A successful spear-phishing campaign provides 10 times the return on investment (ROI) compared to lower-quality phishing emails sent en masse, according to the InfoSec Institute.
Furthermore, the economic benefits of investment in phishing education are minimal. Today, the average 1000-person company saves only 10 percent of attack losses as a result of “substantial training and security awareness activities,” according to the Ponemon Institute. But perhaps the most devastating blow to phishing education as a primary defense comes from a study summarized in Ars Technica, in which 56 percent of people claiming to be aware of phishing risks clicked on unknown links within emails addressed to them by name.
Securing Electric Transmission Begins with Catching the Phish
One of the most widely reported critical infrastructure cyberattacks happened in December 2015, when a Ukrainian power company experienced unplanned outages. Upon analysis, it was determined that the event originated as a spear-phishing attack. In January 2016, a successful phishing attack containing ransomware hit Israel’s Electric Authority. While the damages in both cases were minimal, the events reinforce the viability of the phishing threat and just how problematic it is to an industry that remains on high alert.
For personnel within the power industry, in which integrity and reliability are of the utmost importance, putting the burden on engineers to thwart frequent and sophisticated phishing attacks is as much unrealistic as it is unfair. Nevertheless, electric transmission and smart grid professionals are often tasked as cyber detectives to help keep critical infrastructure safe and secure.
No organization can decrease the prevalence of phishing; reducing the effectiveness of phishing, however, is proven to minimize risk. If you can stop the source of 90 percent of attacks, then your organization’s security will improve. Here are five ways electric transmission and smart grid security pros can mitigate phishing without relying on employee awareness and training:
· Utilize DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) to verify the authenticity of the email sender.
· Identify and enumerate all connections to and from your SCADA network, and closely monitor any connection from the SCADA network to the internet or the DMZ.
· Share intelligence with the entire industry, even the competition, so that all power companies can proactively prepare to protect their assets from attacks that are trending.
· Deploy cybersecurity solutions that can automatically identify phishing and start the remediation process without human intervention. With phishing, the time from attack to remediation is of the essence.
· Define a baseline of “normal” network activity, and strictly define what is known, what is unknown and what is not allowed. Constantly monitor and log all SCADA traffic to identify deviations from the norm.
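The first recommendation above, sender authentication with SPF and DMARC, is only as strong as the policy a domain actually publishes. The following Python script is an added example, not code from the article or from IRONSCALES: it evaluates the text of SPF and DMARC TXT records and reports the weak settings that let a forged "from the CSO" message through. The record values, the domain `example.com` and the IP ranges are constructed for illustration; to assess a real domain you would fetch the TXT records for the domain and for `_dmarc.<domain>` yourself and pass their text to these functions.

```python
"""Assess the strength of published SPF and DMARC records (added example).

The records below are constructed sample TXT values, not real DNS data. In
practice the SPF record lives at <domain> and the DMARC record at
_dmarc.<domain>; this script only evaluates record text it is handed.
"""

# Constructed sample records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"

WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc-reports@example.com")

# Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = ("include:", "a", "a:", "mx", "mx:", "ptr", "ptr:", "exists:", "redirect=")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means no weakness found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append("'%s' permits any sender: forged mail is not rejected" % last)
    elif last == "~all":
        findings.append("~all is a softfail: forged mail is marked, not rejected")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism: unknown senders are treated as neutral")
    lookups = sum(1 for t in terms[1:]
                  if t.lower().startswith(LOOKUP_TERMS) or t.lower() in ("a", "mx", "ptr"))
    if lookups > 10:
        findings.append("%d lookup mechanisms exceeds the limit of 10: receivers may permerror" % lookups)
    return findings


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means no weakness found."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: receivers only report; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: forged mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: policy is applied to only part of the mail stream" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is spoofing the domain")
    if tags.get("adkim", "r").lower() == "r" or tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment: any subdomain of the domain satisfies alignment")
    return findings


if __name__ == "__main__":
    for label, rec, check in (("weak SPF", WEAK_SPF, assess_spf),
                              ("strong SPF", STRONG_SPF, assess_spf),
                              ("weak DMARC", WEAK_DMARC, assess_dmarc),
                              ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(label, "->", check(rec) or ["ok"])
```

The point of the comparison is that publishing SPF and DMARC is not the same as enforcing them: a record with `~all` or `p=none` still delivers a message that fails authentication, so the engineer in the scenario would see it in their inbox regardless. Only `-all` together with `p=reject` (and `sp=reject` for subdomains) tells receiving mail servers to refuse the forgery outright.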
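The second and fifth recommendations, enumerating every connection to and from the SCADA network and then alerting on deviations from a baseline, can be expressed as a small amount of detection logic. The following Python script is an added example, not code from the article or from IRONSCALES. It assumes a simple `timestamp src dst dport proto` flow-log format, a SCADA network of 10.10.0.0/16 and a DMZ of 172.16.5.0/24; all of these, and the log lines themselves, are constructed for illustration.

```python
"""Baseline SCADA flows and flag deviations from them (added example).

Assumptions: the flow-log format 'timestamp src dst dport proto', the SCADA
subnet 10.10.0.0/16 and the DMZ subnet 172.16.5.0/24 are all constructed for
this illustration, as are the sample log lines.
"""
import ipaddress
from collections import Counter

SCADA_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed SCADA subnet
DMZ_NET = ipaddress.ip_network("172.16.5.0/24")    # assumed DMZ subnet

# Constructed flow records from a learning window of known-good activity:
# Modbus/TCP polling (502), a DMZ historian pulling DNP3 (20000), and NTP (123).
BASELINE_LOG = """\
2017-01-09T08:00:01 10.10.1.20 10.10.2.5 502 tcp
2017-01-09T08:00:05 10.10.1.21 10.10.2.5 502 tcp
2017-01-09T08:01:00 172.16.5.10 10.10.1.20 20000 tcp
2017-01-09T08:01:30 10.10.1.20 172.16.5.11 123 udp
2017-01-09T08:02:00 10.10.1.21 10.10.2.5 502 tcp
"""

# Constructed records from a later window; two lines deviate from the baseline.
OBSERVED_LOG = """\
2017-01-12T09:00:01 10.10.1.20 10.10.2.5 502 tcp
2017-01-12T09:00:07 10.10.1.21 10.10.2.5 502 tcp
2017-01-12T09:00:42 10.10.1.20 172.16.5.11 123 udp
2017-01-12T09:03:10 10.10.1.20 198.51.100.7 443 tcp
2017-01-12T09:04:55 172.16.5.10 10.10.1.20 20000 tcp
2017-01-12T09:05:12 192.0.2.44 10.10.2.5 502 tcp
"""


def parse_flow(line):
    """Parse one 'timestamp src dst dport proto' line into a tuple."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower()


def flows(log_text):
    """Yield parsed flows for every non-empty line of a log."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_flow(line)


def flow_key(flow):
    """The identity of a connection: (src, dst, dport, proto), without the timestamp."""
    _, src, dst, dport, proto = flow
    return (str(src), str(dst), dport, proto)


def touches_scada(flow):
    """True if either endpoint is inside the SCADA network."""
    _, src, dst, _, _ = flow
    return src in SCADA_NET or dst in SCADA_NET


def enumerate_connections(log_text):
    """Count every distinct connection that touches the SCADA network."""
    counts = Counter()
    for f in flows(log_text):
        if touches_scada(f):
            counts[flow_key(f)] += 1
    return counts


def build_baseline(log_text):
    """The set of connection keys seen during the learning window: the 'known' traffic."""
    return set(enumerate_connections(log_text))


def find_deviations(log_text, baseline):
    """Return (connection key, reason) for SCADA flows outside the baseline or policy."""
    deviations = []
    for f in flows(log_text):
        if not touches_scada(f):
            continue
        _, src, dst, _, _ = f
        key = flow_key(f)
        reasons = []
        if key not in baseline:
            reasons.append("unknown: not in baseline")
        # Policy: SCADA hosts may talk only to SCADA or DMZ hosts, never beyond.
        if src in SCADA_NET and not (dst in SCADA_NET or dst in DMZ_NET):
            reasons.append("not allowed: SCADA host reaching outside SCADA/DMZ")
        # Policy: inbound connections to SCADA come only from SCADA or DMZ hosts.
        if dst in SCADA_NET and not (src in SCADA_NET or src in DMZ_NET):
            reasons.append("not allowed: inbound to SCADA from outside SCADA/DMZ")
        if reasons:
            deviations.append((key, "; ".join(reasons)))
    return deviations


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for key, reason in find_deviations(OBSERVED_LOG, baseline):
        print(key, "->", reason)
```

Two kinds of rule are combined here, matching the article's wording: the baseline captures what is known, so anything not in it is unknown and worth a look, while the two explicit policy checks capture what is not allowed regardless of whether it was ever seen before. A SCADA host opening an outbound HTTPS session to an internet address, the sort of beacon that follows a successful phishing compromise, trips both rules at once.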
Looking ahead into 2017, cybersecurity will remain one of the power industry’s biggest concerns. Fortunately, we know how those concerns manifest most often – with phishing.
About the author: Eyal Benishti is the founder and CEO of IRONSCALES, the first and only multi-layered phishing mitigation solution to combine human intelligence with machine learning. He can be reached at Eyal@ironscales.com.